1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (c) 2019 Netronome Systems, Inc. */
10 #include <sys/capability.h>
12 #include <sys/utsname.h>
15 #include <linux/filter.h>
16 #include <linux/limits.h>
19 #include <bpf/libbpf.h>
24 #ifndef PROC_SUPER_MAGIC
25 # define PROC_SUPER_MAGIC 0x9fa0
28 enum probe_component {
34 #define BPF_HELPER_MAKE_ENTRY(name) [BPF_FUNC_ ## name] = "bpf_" # name
35 static const char * const helper_name[] = {
36 __BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
39 #undef BPF_HELPER_MAKE_ENTRY
41 static bool full_mode;
43 static bool run_as_unprivileged;
46 /* Miscellaneous utility functions */
48 static bool check_procfs(void)
52 if (statfs("/proc", &st_fs) < 0)
54 if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
60 static void uppercase(char *str, size_t len)
64 for (i = 0; i < len && str[i] != '\0'; i++)
65 str[i] = toupper(str[i]);
68 /* Printing utility functions */
71 print_bool_feature(const char *feat_name, const char *plain_name,
72 const char *define_name, bool res, const char *define_prefix)
75 jsonw_bool_field(json_wtr, feat_name, res);
76 else if (define_prefix)
77 printf("#define %s%sHAVE_%s\n", define_prefix,
78 res ? "" : "NO_", define_name);
80 printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
83 static void print_kernel_option(const char *name, const char *value,
84 const char *define_prefix)
91 jsonw_null_field(json_wtr, name);
95 res = strtol(value, &endptr, 0);
96 if (!errno && *endptr == '\n')
97 jsonw_int_field(json_wtr, name, res);
99 jsonw_string_field(json_wtr, name, value);
100 } else if (define_prefix) {
102 printf("#define %s%s %s\n", define_prefix,
105 printf("/* %s%s is not set */\n", define_prefix, name);
108 printf("%s is set to %s\n", name, value);
110 printf("%s is not set\n", name);
115 print_start_section(const char *json_title, const char *plain_title,
116 const char *define_comment, const char *define_prefix)
119 jsonw_name(json_wtr, json_title);
120 jsonw_start_object(json_wtr);
121 } else if (define_prefix) {
122 printf("%s\n", define_comment);
124 printf("%s\n", plain_title);
128 static void print_end_section(void)
131 jsonw_end_object(json_wtr);
136 /* Probing functions */
138 static int read_procfs(const char *path)
140 char *endptr, *line = NULL;
145 fd = fopen(path, "r");
149 res = getline(&line, &len, fd);
155 res = strtol(line, &endptr, 10);
156 if (errno || *line == '\0' || *endptr != '\n')
163 static void probe_unprivileged_disabled(void)
167 /* No support for C-style ouptut */
169 res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
171 jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
175 printf("bpf() syscall for unprivileged users is enabled\n");
178 printf("bpf() syscall restricted to privileged users\n");
181 printf("Unable to retrieve required privileges for bpf() syscall\n");
184 printf("bpf() syscall restriction has unknown value %d\n", res);
189 static void probe_jit_enable(void)
193 /* No support for C-style ouptut */
195 res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
197 jsonw_int_field(json_wtr, "bpf_jit_enable", res);
201 printf("JIT compiler is disabled\n");
204 printf("JIT compiler is enabled\n");
207 printf("JIT compiler is enabled with debugging traces in kernel logs\n");
210 printf("Unable to retrieve JIT-compiler status\n");
213 printf("JIT-compiler status has unknown value %d\n",
219 static void probe_jit_harden(void)
223 /* No support for C-style ouptut */
225 res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
227 jsonw_int_field(json_wtr, "bpf_jit_harden", res);
231 printf("JIT compiler hardening is disabled\n");
234 printf("JIT compiler hardening is enabled for unprivileged users\n");
237 printf("JIT compiler hardening is enabled for all users\n");
240 printf("Unable to retrieve JIT hardening status\n");
243 printf("JIT hardening status has unknown value %d\n",
249 static void probe_jit_kallsyms(void)
253 /* No support for C-style ouptut */
255 res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
257 jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
261 printf("JIT compiler kallsyms exports are disabled\n");
264 printf("JIT compiler kallsyms exports are enabled for root\n");
267 printf("Unable to retrieve JIT kallsyms export status\n");
270 printf("JIT kallsyms exports status has unknown value %d\n", res);
275 static void probe_jit_limit(void)
279 /* No support for C-style ouptut */
281 res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
283 jsonw_int_field(json_wtr, "bpf_jit_limit", res);
287 printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
290 printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
295 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
300 while (gzgets(file, buf, n)) {
301 if (strncmp(buf, "CONFIG_", 7))
304 sep = strchr(buf, '=');
308 /* Trim ending '\n' */
309 buf[strlen(buf) - 1] = '\0';
311 /* Split on '=' and ensure that a value is present. */
323 static void probe_kernel_image_config(const char *define_prefix)
325 static const struct {
326 const char * const name;
331 /* Enable bpf() syscall */
332 { "CONFIG_BPF_SYSCALL", },
333 /* Does selected architecture support eBPF JIT compiler */
334 { "CONFIG_HAVE_EBPF_JIT", },
335 /* Compile eBPF JIT compiler */
336 { "CONFIG_BPF_JIT", },
337 /* Avoid compiling eBPF interpreter (use JIT only) */
338 { "CONFIG_BPF_JIT_ALWAYS_ON", },
339 /* Kernel BTF debug information available */
340 { "CONFIG_DEBUG_INFO_BTF", },
341 /* Kernel module BTF debug information available */
342 { "CONFIG_DEBUG_INFO_BTF_MODULES", },
345 { "CONFIG_CGROUPS", },
346 /* BPF programs attached to cgroups */
347 { "CONFIG_CGROUP_BPF", },
348 /* bpf_get_cgroup_classid() helper */
349 { "CONFIG_CGROUP_NET_CLASSID", },
350 /* bpf_skb_{,ancestor_}cgroup_id() helpers */
351 { "CONFIG_SOCK_CGROUP_DATA", },
353 /* Tracing: attach BPF to kprobes, tracepoints, etc. */
354 { "CONFIG_BPF_EVENTS", },
356 { "CONFIG_KPROBE_EVENTS", },
358 { "CONFIG_UPROBE_EVENTS", },
360 { "CONFIG_TRACING", },
361 /* Syscall tracepoints */
362 { "CONFIG_FTRACE_SYSCALLS", },
363 /* bpf_override_return() helper support for selected arch */
364 { "CONFIG_FUNCTION_ERROR_INJECTION", },
365 /* bpf_override_return() helper */
366 { "CONFIG_BPF_KPROBE_OVERRIDE", },
371 { "CONFIG_XDP_SOCKETS", },
372 /* BPF_PROG_TYPE_LWT_* and related helpers */
373 { "CONFIG_LWTUNNEL_BPF", },
374 /* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
375 { "CONFIG_NET_ACT_BPF", },
376 /* BPF_PROG_TYPE_SCHED_CLS, TC filters */
377 { "CONFIG_NET_CLS_BPF", },
378 /* TC clsact qdisc */
379 { "CONFIG_NET_CLS_ACT", },
380 /* Ingress filtering with TC */
381 { "CONFIG_NET_SCH_INGRESS", },
382 /* bpf_skb_get_xfrm_state() helper */
384 /* bpf_get_route_realm() helper */
385 { "CONFIG_IP_ROUTE_CLASSID", },
386 /* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
387 { "CONFIG_IPV6_SEG6_BPF", },
388 /* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
389 { "CONFIG_BPF_LIRC_MODE2", },
390 /* BPF stream parser and BPF socket maps */
391 { "CONFIG_BPF_STREAM_PARSER", },
392 /* xt_bpf module for passing BPF programs to netfilter */
393 { "CONFIG_NETFILTER_XT_MATCH_BPF", },
394 /* bpfilter back-end for iptables */
395 { "CONFIG_BPFILTER", },
396 /* bpftilter module with "user mode helper" */
397 { "CONFIG_BPFILTER_UMH", },
399 /* test_bpf module for BPF tests */
400 { "CONFIG_TEST_BPF", },
402 /* Misc configs useful in BPF C programs */
403 /* jiffies <-> sec conversion for bpf_jiffies64() helper */
404 { "CONFIG_HZ", true, }
406 char *values[ARRAY_SIZE(options)] = { };
415 snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
417 /* gzopen also accepts uncompressed files. */
418 file = gzopen(path, "r");
422 /* Some distributions build with CONFIG_IKCONFIG=y and put the
423 * config file at /proc/config.gz.
425 file = gzopen("/proc/config.gz", "r");
428 p_info("skipping kernel config, can't open file: %s",
433 if (!gzgets(file, buf, sizeof(buf)) ||
434 !gzgets(file, buf, sizeof(buf))) {
435 p_info("skipping kernel config, can't read from file: %s",
439 if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
440 p_info("skipping kernel config, can't find correct file");
444 while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
445 for (i = 0; i < ARRAY_SIZE(options); i++) {
446 if ((define_prefix && !options[i].macro_dump) ||
447 values[i] || strcmp(buf, options[i].name))
450 values[i] = strdup(value);
458 for (i = 0; i < ARRAY_SIZE(options); i++) {
459 if (define_prefix && !options[i].macro_dump)
461 print_kernel_option(options[i].name, values[i], define_prefix);
466 static bool probe_bpf_syscall(const char *define_prefix)
470 bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
471 res = (errno != ENOSYS);
473 print_bool_feature("have_bpf_syscall",
482 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
483 const char *define_prefix, __u32 ifindex)
485 char feat_name[128], plain_desc[128], define_name[128];
486 const char *plain_comment = "eBPF program_type ";
491 /* Only test offload-able program types */
493 case BPF_PROG_TYPE_SCHED_CLS:
494 case BPF_PROG_TYPE_XDP:
500 res = bpf_probe_prog_type(prog_type, ifindex);
502 /* Probe may succeed even if program load fails, for unprivileged users
503 * check that we did not fail because of insufficient permissions
505 if (run_as_unprivileged && errno == EPERM)
509 supported_types[prog_type] |= res;
511 if (!prog_type_name[prog_type]) {
512 p_info("program type name not found (type %d)", prog_type);
515 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
516 if (strlen(prog_type_name[prog_type]) > maxlen) {
517 p_info("program type name too long");
521 sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
522 sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
523 uppercase(define_name, sizeof(define_name));
524 sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
525 print_bool_feature(feat_name, plain_desc, define_name, res,
530 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
533 char feat_name[128], plain_desc[128], define_name[128];
534 const char *plain_comment = "eBPF map_type ";
538 res = bpf_probe_map_type(map_type, ifindex);
540 /* Probe result depends on the success of map creation, no additional
541 * check required for unprivileged users
544 if (!map_type_name[map_type]) {
545 p_info("map type name not found (type %d)", map_type);
548 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
549 if (strlen(map_type_name[map_type]) > maxlen) {
550 p_info("map type name too long");
554 sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
555 sprintf(define_name, "%s_map_type", map_type_name[map_type]);
556 uppercase(define_name, sizeof(define_name));
557 sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
558 print_bool_feature(feat_name, plain_desc, define_name, res,
563 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
564 const char *define_prefix, unsigned int id,
565 const char *ptype_name, __u32 ifindex)
569 if (supported_type) {
570 res = bpf_probe_helper(id, prog_type, ifindex);
572 /* Probe may succeed even if program load fails, for
573 * unprivileged users check that we did not fail because of
574 * insufficient permissions
576 if (run_as_unprivileged && errno == EPERM)
583 jsonw_string(json_wtr, helper_name[id]);
584 } else if (define_prefix) {
585 printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
586 define_prefix, ptype_name, helper_name[id],
590 printf("\n\t- %s", helper_name[id]);
595 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
596 const char *define_prefix, __u32 ifindex)
598 const char *ptype_name = prog_type_name[prog_type];
603 /* Only test helpers for offload-able program types */
605 case BPF_PROG_TYPE_SCHED_CLS:
606 case BPF_PROG_TYPE_XDP:
613 sprintf(feat_name, "%s_available_helpers", ptype_name);
614 jsonw_name(json_wtr, feat_name);
615 jsonw_start_array(json_wtr);
616 } else if (!define_prefix) {
617 printf("eBPF helpers supported for program type %s:",
621 for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
622 /* Skip helper functions which emit dmesg messages when not in
626 case BPF_FUNC_trace_printk:
627 case BPF_FUNC_probe_write_user:
632 probe_helper_for_progtype(prog_type, supported_type,
633 define_prefix, id, ptype_name,
639 jsonw_end_array(json_wtr);
640 else if (!define_prefix)
645 probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
649 res = bpf_probe_large_insn_limit(ifindex);
650 print_bool_feature("have_large_insn_limit",
651 "Large program size limit",
657 section_system_config(enum probe_component target, const char *define_prefix)
660 case COMPONENT_KERNEL:
661 case COMPONENT_UNSPEC:
662 print_start_section("system_config",
663 "Scanning system configuration...",
664 "/*** Misc kernel config items ***/",
666 if (!define_prefix) {
667 if (check_procfs()) {
668 probe_unprivileged_disabled();
671 probe_jit_kallsyms();
674 p_info("/* procfs not mounted, skipping related probes */");
677 probe_kernel_image_config(define_prefix);
685 static bool section_syscall_config(const char *define_prefix)
689 print_start_section("syscall_config",
690 "Scanning system call availability...",
691 "/*** System call availability ***/",
693 res = probe_bpf_syscall(define_prefix);
700 section_program_types(bool *supported_types, const char *define_prefix,
705 print_start_section("program_types",
706 "Scanning eBPF program types...",
707 "/*** eBPF program types ***/",
710 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
711 probe_prog_type(i, supported_types, define_prefix, ifindex);
716 static void section_map_types(const char *define_prefix, __u32 ifindex)
720 print_start_section("map_types",
721 "Scanning eBPF map types...",
722 "/*** eBPF map types ***/",
725 for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
726 probe_map_type(i, define_prefix, ifindex);
732 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
736 print_start_section("helpers",
737 "Scanning eBPF helper functions...",
738 "/*** eBPF helper functions ***/",
743 " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
744 " * to determine if <helper_name> is available for <prog_type_name>,\n"
746 " * #if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
747 " * // do stuff with this helper\n"
749 " * // use a workaround\n"
752 "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper) \\\n"
753 " %sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
754 define_prefix, define_prefix, define_prefix,
756 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
757 probe_helpers_for_progtype(i, supported_types[i], define_prefix,
763 static void section_misc(const char *define_prefix, __u32 ifindex)
765 print_start_section("misc",
766 "Scanning miscellaneous eBPF features...",
767 "/*** eBPF misc features ***/",
769 probe_large_insn_limit(define_prefix, ifindex);
774 #define capability(c) { c, false, #c }
775 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
778 static int handle_perms(void)
784 char name[14]; /* strlen("CAP_SYS_ADMIN") */
786 capability(CAP_SYS_ADMIN),
789 capability(CAP_NET_ADMIN),
790 capability(CAP_PERFMON),
793 cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
794 unsigned int i, nb_bpf_caps = 0;
795 bool cap_sys_admin_only = true;
796 cap_flag_value_t val;
800 caps = cap_get_proc();
802 p_err("failed to get capabilities for process: %s",
808 if (CAP_IS_SUPPORTED(CAP_BPF))
809 cap_sys_admin_only = false;
812 for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
813 const char *cap_name = bpf_caps[i].name;
814 cap_value_t cap = bpf_caps[i].cap;
816 if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
817 p_err("bug: failed to retrieve %s status: %s", cap_name,
822 if (val == CAP_SET) {
823 bpf_caps[i].set = true;
824 cap_list[nb_bpf_caps++] = cap;
827 if (cap_sys_admin_only)
828 /* System does not know about CAP_BPF, meaning that
829 * CAP_SYS_ADMIN is the only capability required. We
830 * just checked it, break.
835 if ((run_as_unprivileged && !nb_bpf_caps) ||
836 (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
837 (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
838 /* We are all good, exit now */
843 if (!run_as_unprivileged) {
844 if (cap_sys_admin_only)
845 p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
848 p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
849 capability_msg(bpf_caps, 0),
851 capability_msg(bpf_caps, 1),
852 capability_msg(bpf_caps, 2),
853 capability_msg(bpf_caps, 3)
855 "", "", "", "", "", ""
861 /* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
862 if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
864 p_err("bug: failed to clear capabilities: %s", strerror(errno));
868 if (cap_set_proc(caps)) {
869 p_err("failed to drop capabilities: %s", strerror(errno));
876 if (cap_free(caps) && !res) {
877 p_err("failed to clear storage object for capabilities: %s",
884 /* Detection assumes user has specific privileges.
885 * We do not use libpcap so let's approximate, and restrict usage to
889 p_err("full feature probing requires root privileges");
894 #endif /* USE_LIBCAP */
897 static int do_probe(int argc, char **argv)
899 enum probe_component target = COMPONENT_UNSPEC;
900 const char *define_prefix = NULL;
901 bool supported_types[128] = {};
908 if (is_prefix(*argv, "kernel")) {
909 if (target != COMPONENT_UNSPEC) {
910 p_err("component to probe already specified");
913 target = COMPONENT_KERNEL;
915 } else if (is_prefix(*argv, "dev")) {
918 if (target != COMPONENT_UNSPEC || ifindex) {
919 p_err("component to probe already specified");
925 target = COMPONENT_DEVICE;
927 ifindex = if_nametoindex(ifname);
929 p_err("unrecognized netdevice '%s': %s", ifname,
933 } else if (is_prefix(*argv, "full")) {
936 } else if (is_prefix(*argv, "macros") && !define_prefix) {
939 } else if (is_prefix(*argv, "prefix")) {
940 if (!define_prefix) {
941 p_err("'prefix' argument can only be use after 'macros'");
944 if (strcmp(define_prefix, "")) {
945 p_err("'prefix' already defined");
952 define_prefix = GET_ARG();
953 } else if (is_prefix(*argv, "unprivileged")) {
955 run_as_unprivileged = true;
958 p_err("unprivileged run not supported, recompile bpftool with libcap");
962 p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
968 /* Full feature detection requires specific privileges.
969 * Let's approximate, and warn if user is not root.
975 define_prefix = NULL;
976 jsonw_start_object(json_wtr);
979 section_system_config(target, define_prefix);
980 if (!section_syscall_config(define_prefix))
981 /* bpf() syscall unavailable, don't probe other BPF features */
982 goto exit_close_json;
983 section_program_types(supported_types, define_prefix, ifindex);
984 section_map_types(define_prefix, ifindex);
985 section_helpers(supported_types, define_prefix, ifindex);
986 section_misc(define_prefix, ifindex);
990 /* End root object */
991 jsonw_end_object(json_wtr);
996 static int do_help(int argc, char **argv)
999 jsonw_null(json_wtr);
1004 "Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
1007 " COMPONENT := { kernel | dev NAME }\n"
1009 bin_name, argv[-2]);
1014 static const struct cmd cmds[] = {
1015 { "probe", do_probe },
1016 { "help", do_help },
1020 int do_feature(int argc, char **argv)
1022 return cmd_select(cmds, argc, argv, do_help);